[SSL Observatory] Diginotar broken arrow as a tour-de-force of PKI fail
Jacob Appelbaum
jacob at appelbaum.net
Tue Sep 6 00:50:39 PDT 2011
On 09/06/2011 09:12 AM, Peter Gutmann wrote:
> Erwann ABALEA <erwann at abalea.com> writes:
>
>> But the client can include a nonce in the request and compare it with the
>> response
>
> The response will come back without the nonce. That was Verisign's
> "performance optimisation" (since copied by other CAs).
>
>> And if it doesn't fit the client request, or not within the client "good
>> timeframe", this response will be discarded. Then, depending on the client,
>> this will be a hard fail, or a switch to CRLs.
>
> This relies on synchronised clocks between client and server, which is often
> not the case (there have been various informal studies by web sites on how
> out-of-sync client PC clocks are, I can dig up some refs if required, but in
> practice clocks are all over the place). In addition the SSL handshake
> advertises how out-of-sync the client's clock is in the first message it
> sends, so an attacker can use that to see which stale response to replay.
>
Consider the case where a user is on a GSM cell phone and the attacker
controls the entire phone network - they can set the time on the phone
to be whatever they'd like.
All the best,
Jacob
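The two client-side checks the thread argues over (nonce match and the thisUpdate/nextUpdate freshness window) modelled in one place, as an added example that is not part of the original post or of any real client's code; the OcspResponse model, the function names and the sample timestamps are constructed assumptions, not parsed from real DER. It shows why a client that trusts the time window alone accepts a replayed nonce-less response once the local clock has been moved, while a nonce-requiring client still rejects it.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass
class OcspResponse:
    """Cut-down model of an OCSP BasicResponse; constructed here, not parsed from DER."""
    this_update: datetime
    next_update: datetime
    nonce: Optional[bytes]  # None when the responder served a pre-produced, nonce-less response

def fresh(resp: OcspResponse, now: datetime, skew: timedelta = timedelta(minutes=5)) -> bool:
    """Time-window check: accept only if the client's clock falls inside
    [thisUpdate, nextUpdate], with a small tolerance for honest clock drift."""
    return resp.this_update - skew <= now <= resp.next_update + skew

def nonce_matches(resp: OcspResponse, sent_nonce: bytes) -> bool:
    """Nonce check: the response must echo the nonce the client put in its request."""
    return resp.nonce is not None and resp.nonce == sent_nonce

def accept(resp: OcspResponse, sent_nonce: bytes, now: datetime, require_nonce: bool) -> bool:
    """Client policy. A lenient client (require_nonce=False) trusts the time window
    alone; a strict one also demands the nonce. On rejection a real client either
    hard-fails or falls back to CRLs, as the thread notes."""
    if require_nonce and not nonce_matches(resp, sent_nonce):
        return False
    return fresh(resp, now)

def replay_scenario():
    """Constructed scenario: a nonce-less 'good' response captured yesterday is
    replayed today. Returns accept() results for (honest clock, lenient client),
    (rolled-back clock, lenient client), (rolled-back clock, strict client)."""
    captured_at = datetime(2011, 9, 5, 12, 0, tzinfo=timezone.utc)
    stale = OcspResponse(this_update=captured_at,
                         next_update=captured_at + timedelta(hours=2),
                         nonce=None)
    sent_nonce = b"\x5a\x17\xc3\x08"  # constructed; a real client draws random bytes
    honest_now = captured_at + timedelta(days=1)
    # A network operator that controls the handset's time source can set the
    # phone's clock back into the stale response's validity window.
    rolled_back_now = captured_at + timedelta(minutes=30)
    return (accept(stale, sent_nonce, honest_now, require_nonce=False),
            accept(stale, sent_nonce, rolled_back_now, require_nonce=False),
            accept(stale, sent_nonce, rolled_back_now, require_nonce=True))

if __name__ == "__main__":
    print(replay_scenario())  # (False, True, False)
```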